openstack/neutron
Code Issues Proposed changes

Make API policies for tags to be working with resource attributes

Browse Source 
This patch changes API policies for tags added with [1] but as "target"
to the policy.enforce() function there was only parent's id passed, not
the whole parent dictionary. Because of that policies related to tags
couldn't match on the parent's attributes, like e.g. network's "shared"
attribute.
This patch changes that so now the dict with all attributes used
potentially by the API policies is passed as target to the
policy.enforce()

Additionally this patch changes names of the actions related to the tags
in the API policy rules. Patch [1] introduced names like
"<action>_<resource_plural_name>_tags", for example
"update_networks_tags". This patch changes that to the pattern
"<action>_<resource_singular>:tags", for example: "update_network:tags"
as this is now consistent with all other actions and attributes in the
API policies in Neutron APIs.

Finally it also renames "parent" to the "obj" in the tagging extension
to not treat resources like e.g. network or port, etc. as parent of the
tag. Tag is more like attribute of that resource, not the child resource
of it.

[1] https://review.opendev.org/c/openstack/neutron/+/935883

Closes-bug: #2091493
Change-Id: I665ed178e4a2e01d7f94cac6b9d3b482c3ed17a8
This commit is contained in:
Slawek Kaplonski
2024-12-20 16:14:30 +01:00
committed by Brian Haley
parent 27cbd9821e
commit d2a3654e01
24 changed files with 994 additions and 633 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
neutron/conf/policies/floatingip.py
View File

@@ -77,11 +77,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_floatingips_tags',
name='create_floatingip:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
description='Create the floating IP tags',
operations=ACTION_POST_TAGS,
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_floatingips_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='get_floatingip',
@@ -105,11 +110,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_floatingips_tags',
name='get_floatingip:tags',
check_str=base.ADMIN_OR_PROJECT_READER,
description='Get the floating IP tags',
operations=ACTION_GET_TAGS,
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_floatingips_tags',
check_str=base.ADMIN_OR_PROJECT_READER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -130,11 +140,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_floatingips_tags',
name='update_floatingip:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
description='Update the floating IP tags',
operations=ACTION_PUT_TAGS,
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='update_floatingips_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -155,11 +170,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_floatingips_tags',
name='delete_floatingips:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
description='Delete the floating IP tags',
operations=ACTION_DELETE_TAGS,
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='delete_floatingips_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
]

29
neutron/conf/policies/network.py
View File

@@ -181,11 +181,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_networks_tags',
name='create_network:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create the network tags',
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_networks_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -259,7 +264,7 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_networks_tags',
name='get_network:tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared',
@@ -269,6 +274,11 @@ rules = [
scope_types=['project'],
description='Get the network tags',
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_networks_tags',
check_str=base.ADMIN_OR_PROJECT_READER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -386,11 +396,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_networks_tags',
name='update_network:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update the network tags',
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_networks_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -406,11 +421,17 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_networks_tags',
# This should be just "update_network:tags" probably
name='delete_network:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete the network tags',
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_networks_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
]

28
neutron/conf/policies/network_segment_range.py
View File

@@ -64,11 +64,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_network_segment_ranges_tags',
name='create_network_segment_range:tags',
check_str=base.ADMIN,
scope_types=['project'],
description='Create the network segment range tags',
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_network_segment_ranges_tags',
check_str=base.ADMIN,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -93,11 +98,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_network_segment_ranges_tags',
name='get_network_segment_range:tags',
check_str=base.ADMIN,
scope_types=['project'],
description='Get the network segment range tags',
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_network_segment_ranges_tags',
check_str=base.ADMIN,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -118,11 +128,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_network_segment_ranges_tags',
name='update_network_segment_range:tags',
check_str=base.ADMIN,
scope_types=['project'],
description='Update the network segment range tags',
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_network_segment_ranges_tags',
check_str=base.ADMIN,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -143,11 +158,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_network_segment_ranges_tags',
name='delete_network_segment_range:tags',
check_str=base.ADMIN,
scope_types=['project'],
description='Delete the network segment range tags',
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_network_segment_ranges_tags',
check_str=base.ADMIN,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
]

42
neutron/conf/policies/port.py
View File

@@ -310,7 +310,7 @@ rules = [
operations=ACTION_POST,
),
policy.DocumentedRuleDefault(
name='create_ports_tags',
name='create_port:tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_MEMBER,
neutron_policy.RULE_ADVSVC
@@ -318,6 +318,14 @@ rules = [
scope_types=['project'],
description='Create the port tags',
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_ports_tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_MEMBER,
neutron_policy.RULE_ADVSVC
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -413,7 +421,7 @@ rules = [
operations=ACTION_GET,
),
policy.DocumentedRuleDefault(
name='get_ports_tags',
name='get_port:tags',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.ADMIN_OR_NET_OWNER_READER,
@@ -422,6 +430,15 @@ rules = [
scope_types=['project'],
description='Get the port tags',
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_ports_tags',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.ADMIN_OR_NET_OWNER_READER,
base.PROJECT_READER
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
# TODO(amotoki): Add get_port:binding:vnic_type
# TODO(amotoki): Add get_port:binding:data_plane_status
@@ -678,7 +695,7 @@ rules = [
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='update_ports_tags',
name='update_port:tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_MEMBER,
neutron_policy.RULE_ADVSVC
@@ -686,6 +703,14 @@ rules = [
scope_types=['project'],
description='Update the port tags',
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_ports_tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_MEMBER,
neutron_policy.RULE_ADVSVC
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -707,7 +732,7 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_ports_tags',
name='delete_port:tags',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.PROJECT_MEMBER,
@@ -716,6 +741,15 @@ rules = [
scope_types=['project'],
description='Delete the port tags',
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_ports_tags',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
)
]

35
neutron/conf/policies/qos.py
View File

@@ -70,14 +70,22 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_policies_tags',
name='get_policy:tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared_qos_policy'
),
scope_types=['project'],
description='Get QoS policy tags',
operations=ACTION_GET_TAGS
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_policies_tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared_qos_policy'
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='create_policy',
@@ -97,11 +105,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_policies_tags',
name='create_policy:tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
scope_types=['project'],
description='Create the QoS policy tags',
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_policies_tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='update_policy',
@@ -121,11 +134,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_policies_tags',
name='update_policy:tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
scope_types=['project'],
description='Update the QoS policy tags',
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_policies_tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='delete_policy',
@@ -145,11 +163,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_policies_tags',
name='delete_policy:tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
scope_types=['project'],
description='Delete the QoS policy tags',
operations=ACTION_DELETE_TAGS
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_policies_tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(

28
neutron/conf/policies/router.py
View File

@@ -161,11 +161,16 @@ rules = [
operations=ACTION_POST,
),
policy.DocumentedRuleDefault(
name='create_routers_tags',
name='create_router:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create the router tags',
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_routers_tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -205,11 +210,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_routers_tags',
name='get_router:tags',
check_str=base.ADMIN_OR_PROJECT_READER,
scope_types=['project'],
description='Get the router tags',
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_routers_tags',
check_str=base.ADMIN_OR_PROJECT_READER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -316,11 +326,16 @@ rules = [
operations=ACTION_POST,
),
policy.DocumentedRuleDefault(
name='update_routers_tags',
name='update_router:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update the router tags',
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_routers_tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
@@ -336,11 +351,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_routers_tags',
name='delete_router:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete the router tags',
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_routers_tags',
check_str=base.ADMIN_OR_PROJECT_MANAGER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(

31
neutron/conf/policies/security_group.py
View File

@@ -96,11 +96,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_security_groups_tags',
name='create_security_group:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create the security group tags',
operations=SG_ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_security_groups_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='get_security_group',
@@ -127,7 +132,7 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_security_groups_tags',
name='get_security_group:tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared_security_group'
@@ -135,6 +140,14 @@ rules = [
scope_types=['project'],
description='Get the security group tags',
operations=SG_ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_security_groups_tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared_security_group'
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='update_security_group',
@@ -154,11 +167,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_security_groups_tags',
name='update_security_group:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update the security group tags',
operations=SG_ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_security_groups_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='delete_security_group',
@@ -178,11 +196,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_security_groups_tags',
name='delete_security_group:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete the security group tags',
operations=SG_ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_security_groups_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
# TODO(amotoki): admin_or_owner is the right rule?

42
neutron/conf/policies/subnet.py
View File

@@ -102,7 +102,7 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_subnets_tags',
name='create_subnet:tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
@@ -110,6 +110,14 @@ rules = [
scope_types=['project'],
description='Create the subnet tags',
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_subnets_tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='get_subnet',
@@ -145,7 +153,7 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_subnets_tags',
name='get_subnet:tags',
check_str=neutron_policy.policy_or(
base.PROJECT_READER,
'rule:shared',
@@ -155,6 +163,16 @@ rules = [
scope_types=['project'],
description='Get the subnet tags',
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_subnets_tags',
check_str=neutron_policy.policy_or(
base.PROJECT_READER,
'rule:shared',
'rule:external_network',
base.ADMIN_OR_NET_OWNER_READER,
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='update_subnet',
@@ -195,7 +213,7 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_subnets_tags',
name='update_subnet:tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
@@ -203,6 +221,14 @@ rules = [
scope_types=['project'],
description='Update the subnet tags',
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_subnets_tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='delete_subnet',
@@ -220,7 +246,7 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_subnets_tags',
name='delete_subnet:tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
@@ -228,6 +254,14 @@ rules = [
scope_types=['project'],
description='Delete the subnet tags',
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_subnets_tags',
check_str=neutron_policy.policy_or(
base.PROJECT_MEMBER,
base.ADMIN_OR_NET_OWNER_MEMBER,
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
]

39
neutron/conf/policies/subnetpool.py
View File

@@ -104,11 +104,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_subnetpools_tags',
name='create_subnetpool:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create the subnetpool tags',
operations=ACTION_POST_TAGS
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_subnetpools_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='get_subnetpool',
@@ -137,14 +142,22 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_subnetpools_tags',
name='get_subnetpool:tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared_subnetpools'
),
scope_types=['project'],
description='Get the subnetpool tags',
operations=ACTION_GET_TAGS
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_subnetpools_tags',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared_subnetpools'
),
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='update_subnetpool',
@@ -181,11 +194,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_subnetpools_tags',
name='update_subnetpool:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update the subnetpool tags',
operations=ACTION_PUT_TAGS
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_subnetpools_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='delete_subnetpool',
@@ -205,11 +223,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_subnetpools_tags',
name='delete_subnetpool:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete the subnetpool tags',
operations=ACTION_DELETE_TAGS
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_subnetpools_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='onboard_network_subnets',

36
neutron/conf/policies/trunk.py
View File

@@ -61,11 +61,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='create_trunks_tags',
name='create_trunk:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create the trunk tags',
operations=ACTION_POST_TAGS
operations=ACTION_POST_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='create_trunks_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='get_trunk',
@@ -89,11 +94,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='get_trunks_tags',
name='get_trunk:tags',
check_str=base.ADMIN_OR_PROJECT_READER,
scope_types=['project'],
description='Get the trunk tags',
operations=ACTION_GET_TAGS
operations=ACTION_GET_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='get_trunks_tags',
check_str=base.ADMIN_OR_PROJECT_READER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='update_trunk',
@@ -113,11 +123,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_trunks_tags',
name='update_trunk:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update the trunk tags',
operations=ACTION_PUT_TAGS
operations=ACTION_PUT_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='update_trunks_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='delete_trunk',
@@ -137,11 +152,16 @@ rules = [
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='delete_trunks_tags',
name='delete_trunk:tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete a trunk',
operations=ACTION_DELETE_TAGS
operations=ACTION_DELETE_TAGS,
deprecated_rule=policy.DeprecatedRule(
name='delete_trunks_tags',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
deprecated_reason="Name of the rule is changed.",
deprecated_since="2025.1")
),
policy.DocumentedRuleDefault(
name='get_subports',

231
neutron/extensions/tagging.py
View File

@@ -17,10 +17,12 @@ import copy
import itertools
import typing
from neutron_lib.api import attributes
from neutron_lib.api.definitions import port
from neutron_lib.api import extensions as api_extensions
from neutron_lib.api import faults
from neutron_lib.api import validators
from neutron_lib import constants
from neutron_lib.db import standard_attr
from neutron_lib import exceptions
from neutron_lib.plugins import directory
@@ -69,7 +71,7 @@ TAG_ATTRIBUTE_MAP_PORTS[TAGS] = {
'validate': {'type:list_of_unique_strings': MAX_TAG_LEN},
'default': [], 'is_visible': True, 'is_filter': True
}
PARENTS = {
OVO_CLS = {
'floatingips': router_obj.FloatingIP,
'network_segment_ranges': network_segment_range_obj.NetworkSegmentRange,
'networks': network_obj.Network,
@@ -77,18 +79,16 @@ PARENTS = {
'ports': ports_obj.Port,
'routers': router_obj.Router,
'security_groups': securitygroup_obj.SecurityGroup,
'subnets': ('networks', subnet_obj.Subnet),
'subnets': subnet_obj.Subnet,
'subnetpools': subnetpool_obj.SubnetPool,
'trunks': trunk_obj.Trunk,
}
ResourceInfo = collections.namedtuple(
'ResourceInfo', ['project_id',
'parent_type',
'parent_id',
'upper_parent_type',
'upper_parent_id',
'obj_type',
'obj',
])
EMPTY_RESOURCE_INFO = ResourceInfo(None, None, None, None, None)
EMPTY_RESOURCE_INFO = ResourceInfo(None, None, None)
class TagResourceNotFound(exceptions.NotFound):
@@ -113,12 +113,12 @@ def validate_tags(body):
raise exceptions.InvalidInput(error_message=msg)
def notify_tag_action(context, action, parent, parent_id, tags=None):
def notify_tag_action(context, action, obj, obj_id, tags=None):
notifier = n_rpc.get_notifier('network')
tag_event = 'tag.%s' % action
# TODO(hichihara): Add 'updated_at' into payload
payload = {'parent_resource': parent,
'parent_resource_id': parent_id}
payload = {'obj_resource': obj,
'obj_resource_id': obj_id}
if tags is not None:
payload['tags'] = tags
notifier.info(context, tag_event, payload)
@@ -129,160 +129,161 @@ class TaggingController:
self.plugin = directory.get_plugin(TAG_PLUGIN_TYPE)
self.supported_resources = TAG_SUPPORTED_RESOURCES
def _get_target(self, res_info):
target = {'id': res_info.parent_id,
'tenant_id': res_info.project_id,
'project_id': res_info.project_id}
if res_info.upper_parent_type:
res_id = (self.supported_resources[res_info.upper_parent_type] +
'_id')
target[res_id] = res_info.upper_parent_id
return target
def _get_resource_info(self, context, kwargs, tags=None):
"""Return the information about the resource with the tag(s)
def _get_resource_info(self, context, kwargs):
"""Return the tag parent resource information
Some parent resources, like the subnets, depend on other upper parent
resources (networks). In that case, it is needed to provide the upper
parent resource information.
:param kwargs: dictionary with the parent resource ID, along with other
information not needed. It is formated as
:param kwargs: dictionary with the resource ID, along with other
information. It is formated as
{"resource_id": "id", ...}
:return: ``ResourceInfo`` named tuple with the parent and upper parent
information and the project ID (of the parent or upper
parent).
:param tags: list of the tags which will be set for the resource
:return: ``ResourceInfo`` named tuple with the object's type,
object's information in the dict and the project ID
"""
for key, parent_type in itertools.product(
for key, obj_type in itertools.product(
kwargs.keys(), self.supported_resources.keys()):
if key != self.supported_resources[parent_type] + '_id':
if key != self.supported_resources[obj_type] + '_id':
continue
parent_id = kwargs[key]
parent_obj = PARENTS[parent_type]
if isinstance(parent_obj, tuple):
upper_parent_type = parent_obj[0]
parent_obj = parent_obj[1]
res_id = (self.supported_resources[upper_parent_type] +
'_id')
upper_parent_id = parent_obj.get_values(
context.elevated(), res_id, id=parent_id)[0]
else:
upper_parent_type = upper_parent_id = None
obj_id = kwargs[key]
obj_class = OVO_CLS[obj_type]
try:
project_id = parent_obj.get_values(
context.elevated(), 'project_id', id=parent_id)[0]
field_list = []
for attr_name, attr_config in \
attributes.RESOURCES[obj_type].items():
if (attr_config.get('required_by_policy') or
attr_config.get('primary_key') or
'default' not in attr_config):
field_list.append(attr_name)
obj_dict = {
constants.ATTRIBUTES_TO_UPDATE: [TAGS]
}
if tags is not None:
obj_dict[TAGS] = tags
obj = obj_class.get_object(context.elevated(), id=obj_id,
fields=field_list)
if not obj:
return EMPTY_RESOURCE_INFO
for f_name, f_value in obj.to_dict().items():
if f_name in field_list:
obj_dict[f_name] = f_value
project_id = obj_dict.get('project_id')
if not project_id:
project_id = obj_dict.get('tenant_id')
obj_dict['project_id'] = project_id
except IndexError:
return EMPTY_RESOURCE_INFO
return ResourceInfo(project_id, parent_type, parent_id,
upper_parent_type, upper_parent_id)
return ResourceInfo(project_id, obj_type, obj_dict)
# This should never be returned.
return EMPTY_RESOURCE_INFO
def _get_policy_action(self, base_action, obj_type):
return "{}_{}:{}".format(
base_action,
self.supported_resources[obj_type],
TAGS)
def index(self, request, **kwargs):
# GET /v2.0/{parent_resource}/{parent_resource_id}/tags
# GET /v2.0/{obj_resource}/{obj_resource_id}/tags
ctx = request.context
rinfo = self._get_resource_info(ctx, kwargs)
target = self._get_target(rinfo)
policy.enforce(ctx, 'get_{}_{}'.format(rinfo.parent_type, TAGS),
target)
return self.plugin.get_tags(ctx, rinfo.parent_type, rinfo.parent_id)
policy.enforce(ctx, 'get_{}_{}'.format(rinfo.obj_type, TAGS),
rinfo.obj)
return self.plugin.get_tags(ctx, rinfo.obj_type, rinfo.obj['id'])
def show(self, request, id, **kwargs):
# GET /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag}
# GET /v2.0/{obj_resource}/{obj_resource_id}/tags/{tag}
# id == tag
validate_tag(id)
ctx = request.context
rinfo = self._get_resource_info(ctx, kwargs)
target = self._get_target(rinfo)
policy.enforce(ctx, 'get_{}_{}'.format(rinfo.parent_type, TAGS),
target)
return self.plugin.get_tag(ctx, rinfo.parent_type, rinfo.parent_id, id)
policy.enforce(ctx, 'get_{}:{}'.format(rinfo.obj_type, TAGS),
rinfo.obj)
return self.plugin.get_tag(ctx, rinfo.obj_type, rinfo.obj['id'], id)
def create(self, request, body, **kwargs):
# POST /v2.0/{parent_resource}/{parent_resource_id}/tags
# POST /v2.0/{obj_resource}/{obj_resource_id}/tags
# body: {"tags": ["aaa", "bbb"]}
validate_tags(body)
ctx = request.context
rinfo = self._get_resource_info(ctx, kwargs)
target = self._get_target(rinfo)
policy.enforce(ctx, 'create_{}_{}'.format(rinfo.parent_type, TAGS),
target)
notify_tag_action(ctx, 'create.start', rinfo.parent_type,
rinfo.parent_id, body['tags'])
result = self.plugin.create_tags(ctx, rinfo.parent_type,
rinfo.parent_id, body)
notify_tag_action(ctx, 'create.end', rinfo.parent_type,
rinfo.parent_id, body['tags'])
rinfo = self._get_resource_info(ctx, kwargs, tags=body[TAGS])
policy.enforce(ctx, 'create_{}:{}'.format(rinfo.obj_type, TAGS),
rinfo.obj)
notify_tag_action(ctx, 'create.start', rinfo.obj_type,
rinfo.obj['id'], body['tags'])
result = self.plugin.create_tags(ctx, rinfo.obj_type,
rinfo.obj['id'], body)
notify_tag_action(ctx, 'create.end', rinfo.obj_type,
rinfo.obj['id'], body['tags'])
return result
def update(self, request, id, **kwargs):
# PUT /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag}
# PUT /v2.0/{obj_resource}/{obj_resource_id}/tags/{tag}
# id == tag
validate_tag(id)
ctx = request.context
rinfo = self._get_resource_info(ctx, kwargs)
target = self._get_target(rinfo)
policy.enforce(ctx, 'update_{}_{}'.format(rinfo.parent_type, TAGS),
target)
notify_tag_action(ctx, 'create.start', rinfo.parent_type,
rinfo.parent_id, [id])
result = self.plugin.update_tag(ctx, rinfo.parent_type,
rinfo.parent_id, id)
notify_tag_action(ctx, 'create.end', rinfo.parent_type,
rinfo.parent_id, [id])
rinfo = self._get_resource_info(ctx, kwargs, tags=[id])
policy.enforce(ctx, 'update_{}:{}'.format(rinfo.obj_type, TAGS),
rinfo.obj)
notify_tag_action(ctx, 'create.start', rinfo.obj_type,
rinfo.obj['id'], [id])
result = self.plugin.update_tag(ctx, rinfo.obj_type,
rinfo.obj['id'], id)
notify_tag_action(ctx, 'create.end', rinfo.obj_type,
rinfo.obj['id'], [id])
return result
def update_all(self, request, body, **kwargs):
# PUT /v2.0/{parent_resource}/{parent_resource_id}/tags
# PUT /v2.0/{obj_resource}/{obj_resource_id}/tags
# body: {"tags": ["aaa", "bbb"]}
validate_tags(body)
ctx = request.context
rinfo = self._get_resource_info(ctx, kwargs)
target = self._get_target(rinfo)
policy.enforce(ctx, 'update_{}_{}'.format(rinfo.parent_type, TAGS),
target)
notify_tag_action(ctx, 'update.start', rinfo.parent_type,
rinfo.parent_id, body['tags'])
result = self.plugin.update_tags(ctx, rinfo.parent_type,
rinfo.parent_id, body)
notify_tag_action(ctx, 'update.end', rinfo.parent_type,
rinfo.parent_id, body['tags'])
rinfo = self._get_resource_info(ctx, kwargs, tags=body[TAGS])
policy.enforce(
ctx,
self._get_policy_action("update", rinfo.obj_type),
rinfo.obj)
notify_tag_action(ctx, 'update.start', rinfo.obj_type,
rinfo.obj['id'], body['tags'])
result = self.plugin.update_tags(ctx, rinfo.obj_type,
rinfo.obj['id'], body)
notify_tag_action(ctx, 'update.end', rinfo.obj_type,
rinfo.obj['id'], body['tags'])
return result
def delete(self, request, id, **kwargs):
# DELETE /v2.0/{parent_resource}/{parent_resource_id}/tags/{tag}
# DELETE /v2.0/{obj_resource}/{obj_resource_id}/tags/{tag}
# id == tag
validate_tag(id)
ctx = request.context
rinfo = self._get_resource_info(ctx, kwargs)
target = self._get_target(rinfo)
policy.enforce(ctx, 'delete_{}_{}'.format(rinfo.parent_type, TAGS),
target)
notify_tag_action(ctx, 'delete.start', rinfo.parent_type,
rinfo.parent_id, [id])
result = self.plugin.delete_tag(ctx, rinfo.parent_type,
rinfo.parent_id, id)
notify_tag_action(ctx, 'delete.end', rinfo.parent_type,
rinfo.parent_id, [id])
policy.enforce(
ctx,
self._get_policy_action("delete", rinfo.obj_type),
rinfo.obj)
notify_tag_action(ctx, 'delete.start', rinfo.obj_type,
rinfo.obj['id'], [id])
result = self.plugin.delete_tag(ctx, rinfo.obj_type,
rinfo.obj['id'], id)
notify_tag_action(ctx, 'delete.end', rinfo.obj_type,
rinfo.obj['id'], [id])
return result
def delete_all(self, request, **kwargs):
# DELETE /v2.0/{parent_resource}/{parent_resource_id}/tags
# DELETE /v2.0/{obj_resource}/{obj_resource_id}/tags
ctx = request.context
rinfo = self._get_resource_info(ctx, kwargs)
target = self._get_target(rinfo)
policy.enforce(ctx, 'delete_{}_{}'.format(rinfo.parent_type, TAGS),
target)
notify_tag_action(ctx, 'delete_all.start', rinfo.parent_type,
rinfo.parent_id)
result = self.plugin.delete_tags(ctx, rinfo.parent_type,
rinfo.parent_id)
notify_tag_action(ctx, 'delete_all.end', rinfo.parent_type,
rinfo.parent_id)
policy.enforce(
ctx,
self._get_policy_action("delete", rinfo.obj_type),
rinfo.obj)
notify_tag_action(ctx, 'delete_all.start', rinfo.obj_type,
rinfo.obj['id'])
result = self.plugin.delete_tags(ctx, rinfo.obj_type,
rinfo.obj['id'])
notify_tag_action(ctx, 'delete_all.end', rinfo.obj_type,
rinfo.obj['id'])
return result
@@ -324,10 +325,10 @@ class Tagging(api_extensions.ExtensionDescriptor):
for collection_name, member_name in TAG_SUPPORTED_RESOURCES.items():
if 'security_group' in collection_name:
collection_name = collection_name.replace('_', '-')
parent = {'member_name': member_name,
'collection_name': collection_name}
obj = {'member_name': member_name,
'collection_name': collection_name}
exts.append(extensions.ResourceExtension(
TAGS, controller, parent,
TAGS, controller, obj,
collection_methods=collection_methods))
return exts

5
neutron/policy.py
View File

@@ -99,7 +99,10 @@ def get_resource_and_action(action, pluralized=None):
resource and action extracted from api operation.
"""
data = action.split(':', 1)[0].split('_', 1)
resource = pluralized or ("%ss" % data[-1])
if "tags" in data[-1]:
resource = data[-1].replace("_tags", "")
else:
resource = pluralized or ("%ss" % data[-1])
enforce_attr_based_check = data[0] not in ('get', 'delete')
return (resource, enforce_attr_based_check)

70
neutron/tests/unit/conf/policies/test_floatingip.py
View File

@@ -59,16 +59,16 @@ class SystemAdminTests(FloatingIPAPITestCase):
self.context, "create_floatingip:floating_ip_address",
self.alt_target)
def test_create_floatingips_tags(self):
def test_create_floatingip_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, "create_floatingips_tags",
self.context, "create_floatingip:tags",
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, "create_floatingips_tags",
self.context, "create_floatingip:tags",
self.alt_target)
def test_get_floatingip(self):
@@ -81,15 +81,15 @@ class SystemAdminTests(FloatingIPAPITestCase):
policy.enforce,
self.context, "get_floatingip", self.alt_target)
def test_get_floatingips_tags(self):
def test_get_floatingip_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, "get_floatingips_tags", self.target)
self.context, "get_floatingip:tags", self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, "get_floatingips_tags", self.alt_target)
self.context, "get_floatingip:tags", self.alt_target)
def test_update_floatingip(self):
self.assertRaises(
@@ -101,15 +101,15 @@ class SystemAdminTests(FloatingIPAPITestCase):
policy.enforce,
self.context, "update_floatingip", self.alt_target)
def test_update_floatingips_tags(self):
def test_update_floatingip_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, "update_floatingips_tags", self.target)
self.context, "update_floatingip:tags", self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, "update_floatingips_tags", self.alt_target)
self.context, "update_floatingip:tags", self.alt_target)
def test_delete_floatingip(self):
self.assertRaises(
@@ -158,12 +158,12 @@ class AdminTests(FloatingIPAPITestCase):
self.context,
"create_floatingip:floating_ip_address", self.alt_target))
def test_create_floatingips_tags(self):
def test_create_floatingip_tags(self):
self.assertTrue(
policy.enforce(self.context, "create_floatingips_tags",
policy.enforce(self.context, "create_floatingip:tags",
self.target))
self.assertTrue(
policy.enforce(self.context, "create_floatingips_tags",
policy.enforce(self.context, "create_floatingip:tags",
self.alt_target))
def test_get_floatingip(self):
@@ -172,11 +172,11 @@ class AdminTests(FloatingIPAPITestCase):
self.assertTrue(
policy.enforce(self.context, "get_floatingip", self.alt_target))
def test_get_floatingips_tags(self):
def test_get_floatingip_tags(self):
self.assertTrue(
policy.enforce(self.context, "get_floatingips_tags", self.target))
policy.enforce(self.context, "get_floatingip:tags", self.target))
self.assertTrue(
policy.enforce(self.context, "get_floatingips_tags",
policy.enforce(self.context, "get_floatingip:tags",
self.alt_target))
def test_update_floatingip(self):
@@ -185,12 +185,12 @@ class AdminTests(FloatingIPAPITestCase):
self.assertTrue(
policy.enforce(self.context, "update_floatingip", self.alt_target))
def test_update_floatingips_tags(self):
def test_update_floatingip_tags(self):
self.assertTrue(
policy.enforce(self.context, "update_floatingips_tags",
policy.enforce(self.context, "update_floatingip:tags",
self.target))
self.assertTrue(
policy.enforce(self.context, "update_floatingips_tags",
policy.enforce(self.context, "update_floatingip:tags",
self.alt_target))
def test_delete_floatingip(self):
@@ -223,14 +223,14 @@ class ProjectManagerTests(AdminTests):
self.context, "create_floatingip:floating_ip_address",
self.alt_target)
def test_create_floatingips_tags(self):
def test_create_floatingip_tags(self):
self.assertTrue(
policy.enforce(self.context, "create_floatingips_tags",
policy.enforce(self.context, "create_floatingip:tags",
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, "create_floatingips_tags", self.alt_target)
self.context, "create_floatingip:tags", self.alt_target)
def test_get_floatingip(self):
self.assertTrue(
@@ -239,12 +239,12 @@ class ProjectManagerTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, "get_floatingip", self.alt_target)
def test_get_floatingips_tags(self):
def test_get_floatingip_tags(self):
self.assertTrue(
policy.enforce(self.context, "get_floatingips_tags", self.target))
policy.enforce(self.context, "get_floatingip:tags", self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, "get_floatingips_tags",
policy.enforce, self.context, "get_floatingip:tags",
self.alt_target)
def test_update_floatingip(self):
@@ -254,13 +254,13 @@ class ProjectManagerTests(AdminTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, "update_floatingip", self.alt_target)
def test_update_floatingips_tags(self):
def test_update_floatingip_tags(self):
self.assertTrue(
policy.enforce(self.context, "update_floatingips_tags",
policy.enforce(self.context, "update_floatingip:tags",
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, "update_floatingips_tags",
policy.enforce, self.context, "update_floatingip:tags",
self.alt_target)
def test_delete_floatingip(self):
@@ -306,15 +306,15 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, "create_floatingip", self.alt_target)
def test_create_floatingips_tags(self):
def test_create_floatingip_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, "create_floatingips_tags", self.target)
self.context, "create_floatingip:tags", self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, "create_floatingips_tags", self.alt_target)
self.context, "create_floatingip:tags", self.alt_target)
def test_update_floatingip(self):
self.assertRaises(
@@ -326,15 +326,15 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, "update_floatingip", self.alt_target)
def test_update_floatingips_tags(self):
def test_update_floatingip_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, "update_floatingips_tags", self.target)
self.context, "update_floatingip:tags", self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, "update_floatingips_tags", self.alt_target)
self.context, "update_floatingip:tags", self.alt_target)
def test_delete_floatingip(self):
self.assertRaises(
@@ -366,11 +366,11 @@ class ServiceRoleTests(FloatingIPAPITestCase):
self.context, "create_floatingip:floating_ip_address",
self.target)
def test_create_floatingips_tags(self):
def test_create_floatingip_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, "create_floatingips_tags", self.target)
self.context, "create_floatingip:tags", self.target)
def test_get_floatingip(self):
self.assertRaises(

94
neutron/tests/unit/conf/policies/test_network.py
View File

@@ -128,13 +128,13 @@ class SystemAdminTests(NetworkAPITestCase):
self.context, 'create_network:provider:segmentation_id',
self.alt_target)
def test_create_networks_tags(self):
def test_create_network_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_networks_tags', self.target)
policy.enforce, self.context, 'create_network:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_networks_tags',
policy.enforce, self.context, 'create_network:tags',
self.alt_target)
def test_get_network(self):
@@ -193,16 +193,16 @@ class SystemAdminTests(NetworkAPITestCase):
self.context, 'get_network:provider:segmentation_id',
self.alt_target)
def test_get_networks_tags(self):
def test_get_network_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_networks_tags',
self.context, 'get_network:tags',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_networks_tags',
self.context, 'get_network:tags',
self.alt_target)
def test_update_network(self):
@@ -300,13 +300,13 @@ class SystemAdminTests(NetworkAPITestCase):
self.context, 'update_network:port_security_enabled',
self.alt_target)
def test_update_networks_tags(self):
def test_update_network_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_networks_tags', self.target)
policy.enforce, self.context, 'update_network:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_networks_tags',
policy.enforce, self.context, 'update_network:tags',
self.alt_target)
def test_delete_network(self):
@@ -317,13 +317,13 @@ class SystemAdminTests(NetworkAPITestCase):
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_network', self.alt_target)
def test_delete_networks_tags(self):
def test_delete_network_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_networks_tags', self.target)
policy.enforce, self.context, 'delete_network:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_networks_tags',
policy.enforce, self.context, 'delete_network:tags',
self.alt_target)
@@ -424,11 +424,11 @@ class AdminTests(NetworkAPITestCase):
'create_network:provider:segmentation_id',
self.alt_target))
def test_create_networks_tags(self):
def test_create_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_networks_tags', self.target))
policy.enforce(self.context, 'create_network:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'create_networks_tags',
policy.enforce(self.context, 'create_network:tags',
self.alt_target))
def test_get_network(self):
@@ -467,11 +467,11 @@ class AdminTests(NetworkAPITestCase):
'get_network:provider:segmentation_id',
self.alt_target))
def test_get_networks_tags(self):
def test_get_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_networks_tags', self.target))
policy.enforce(self.context, 'get_network:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'get_networks_tags', self.alt_target))
policy.enforce(self.context, 'get_network:tags', self.alt_target))
def test_update_network(self):
self.assertTrue(
@@ -550,11 +550,11 @@ class AdminTests(NetworkAPITestCase):
'update_network:port_security_enabled',
self.alt_target))
def test_update_networks_tags(self):
def test_update_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_networks_tags', self.target))
policy.enforce(self.context, 'update_network:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'update_networks_tags',
policy.enforce(self.context, 'update_network:tags',
self.alt_target))
def test_delete_network(self):
@@ -563,11 +563,11 @@ class AdminTests(NetworkAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'delete_network', self.alt_target))
def test_delete_networks_tags(self):
def test_delete_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_networks_tags', self.target))
policy.enforce(self.context, 'delete_network:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'delete_networks_tags',
policy.enforce(self.context, 'delete_network:tags',
self.alt_target))
@@ -671,13 +671,13 @@ class ProjectManagerTests(AdminTests):
self.context, 'create_network:provider:segmentation_id',
self.alt_target)
def test_create_networks_tags(self):
def test_create_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_networks_tags', self.target))
policy.enforce(self.context, 'create_network:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_networks_tags', self.alt_target)
self.context, 'create_network:tags', self.alt_target)
def test_get_network(self):
self.assertTrue(
@@ -731,13 +731,13 @@ class ProjectManagerTests(AdminTests):
self.context, 'get_network:provider:segmentation_id',
self.alt_target)
def test_get_networks_tags(self):
def test_get_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_networks_tags', self.target))
policy.enforce(self.context, 'get_network:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_networks_tags', self.alt_target)
self.context, 'get_network:tags', self.alt_target)
def test_update_network(self):
self.assertTrue(
@@ -833,13 +833,13 @@ class ProjectManagerTests(AdminTests):
self.context, 'update_network:port_security_enabled',
self.alt_target)
def test_update_networks_tags(self):
def test_update_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_networks_tags', self.target))
policy.enforce(self.context, 'update_network:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_networks_tags', self.alt_target)
self.context, 'update_network:tags', self.alt_target)
def test_delete_network(self):
self.assertTrue(
@@ -849,13 +849,13 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'delete_network', self.alt_target)
def test_delete_networks_tags(self):
def test_delete_network_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_networks_tags', self.target))
policy.enforce(self.context, 'delete_network:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_networks_tags', self.alt_target)
self.context, 'delete_network:tags', self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
@@ -891,13 +891,13 @@ class ProjectReaderTests(ProjectMemberTests):
self.context, 'create_network:port_security_enabled',
self.alt_target)
def test_create_networks_tags(self):
def test_create_network_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_networks_tags', self.target)
policy.enforce, self.context, 'create_network:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_networks_tags',
policy.enforce, self.context, 'create_network:tags',
self.alt_target)
def test_update_network(self):
@@ -920,13 +920,13 @@ class ProjectReaderTests(ProjectMemberTests):
self.context, 'update_network:port_security_enabled',
self.alt_target)
def test_update_networks_tags(self):
def test_update_network_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_networks_tags', self.target)
policy.enforce, self.context, 'update_network:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_networks_tags',
policy.enforce, self.context, 'update_network:tags',
self.alt_target)
def test_delete_network(self):
@@ -937,13 +937,13 @@ class ProjectReaderTests(ProjectMemberTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_network', self.alt_target)
def test_delete_networks_tags(self):
def test_delete_network_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_networks_tags', self.target)
policy.enforce, self.context, 'delete_network:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_networks_tags',
policy.enforce, self.context, 'delete_network:tags',
self.alt_target)
@@ -1009,10 +1009,10 @@ class ServiceRoleTests(NetworkAPITestCase):
self.context, 'create_network:provider:segmentation_id',
self.target)
def test_create_networks_tags(self):
def test_create_network_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_networks_tags', self.target)
policy.enforce, self.context, 'create_network:tags', self.target)
def test_get_network(self):
self.assertTrue(

52
neutron/tests/unit/conf/policies/test_network_segment_range.py
View File

@@ -38,11 +38,11 @@ class SystemAdminTests(NetworkSegmentRangeAPITestCase):
policy.enforce,
self.context, 'create_network_segment_range', self.target)
def test_create_network_segment_ranges_tags(self):
def test_create_network_segment_range_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_network_segment_ranges_tags', self.target)
self.context, 'create_network_segment_range:tags', self.target)
def test_get_network_segment_range(self):
self.assertRaises(
@@ -50,11 +50,11 @@ class SystemAdminTests(NetworkSegmentRangeAPITestCase):
policy.enforce,
self.context, 'get_network_segment_range', self.target)
def test_get_network_segment_ranges_tags(self):
def test_get_network_segment_range_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_network_segment_ranges_tags', self.target)
self.context, 'get_network_segment_range:tags', self.target)
def test_update_network_segment_range(self):
self.assertRaises(
@@ -62,11 +62,11 @@ class SystemAdminTests(NetworkSegmentRangeAPITestCase):
policy.enforce,
self.context, 'update_network_segment_range', self.target)
def test_update_network_segment_ranges_tags(self):
def test_update_network_segment_range_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_network_segment_ranges_tags', self.target)
self.context, 'update_network_segment_range:tags', self.target)
def test_delete_network_segment_range(self):
self.assertRaises(
@@ -74,11 +74,11 @@ class SystemAdminTests(NetworkSegmentRangeAPITestCase):
policy.enforce,
self.context, 'delete_network_segment_range', self.target)
def test_delete_network_segment_ranges_tags(self):
def test_delete_network_segment_range_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_network_segment_ranges_tags', self.target)
self.context, 'delete_network_segment_range:tags', self.target)
class SystemMemberTests(SystemAdminTests):
@@ -106,40 +106,40 @@ class AdminTests(NetworkSegmentRangeAPITestCase):
policy.enforce(self.context,
'create_network_segment_range', self.target))
def test_create_network_segment_ranges_tags(self):
def test_create_network_segment_range_tags(self):
self.assertTrue(
policy.enforce(self.context,
'create_network_segment_ranges_tags', self.target))
'create_network_segment_range:tags', self.target))
def test_get_network_segment_range(self):
self.assertTrue(
policy.enforce(self.context,
'get_network_segment_range', self.target))
def test_get_network_segment_ranges_tags(self):
def test_get_network_segment_range_tags(self):
self.assertTrue(
policy.enforce(self.context,
'get_network_segment_ranges_tags', self.target))
'get_network_segment_range:tags', self.target))
def test_update_network_segment_range(self):
self.assertTrue(
policy.enforce(self.context,
'update_network_segment_range', self.target))
def test_update_network_segment_ranges_tags(self):
def test_update_network_segment_range_tags(self):
self.assertTrue(
policy.enforce(self.context,
'update_network_segment_ranges_tags', self.target))
'update_network_segment_range:tags', self.target))
def test_delete_network_segment_range(self):
self.assertTrue(
policy.enforce(self.context,
'delete_network_segment_range', self.target))
def test_delete_network_segment_ranges_tags(self):
def test_delete_network_segment_range_tags(self):
self.assertTrue(
policy.enforce(self.context,
'delete_network_segment_ranges_tags', self.target))
'delete_network_segment_range:tags', self.target))
class ProjectManagerTests(AdminTests):
@@ -154,11 +154,11 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'create_network_segment_range', self.target)
def test_create_network_segment_ranges_tags(self):
def test_create_network_segment_range_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_network_segment_ranges_tags', self.target)
self.context, 'create_network_segment_range:tags', self.target)
def test_get_network_segment_range(self):
self.assertRaises(
@@ -166,11 +166,11 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'get_network_segment_range', self.target)
def test_get_network_segment_ranges_tags(self):
def test_get_network_segment_range_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_network_segment_ranges_tags', self.target)
self.context, 'get_network_segment_range:tags', self.target)
def test_update_network_segment_range(self):
self.assertRaises(
@@ -178,11 +178,11 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'update_network_segment_range', self.target)
def test_update_network_segment_ranges_tags(self):
def test_update_network_segment_range_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_network_segment_ranges_tags', self.target)
self.context, 'update_network_segment_range:tags', self.target)
def test_delete_network_segment_range(self):
self.assertRaises(
@@ -190,11 +190,11 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'delete_network_segment_range', self.target)
def test_delete_network_segment_ranges_tags(self):
def test_delete_network_segment_range_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_network_segment_ranges_tags', self.target)
self.context, 'delete_network_segment_range:tags', self.target)
class ProjectMemberTests(ProjectManagerTests):
@@ -223,11 +223,11 @@ class ServiceRoleTests(NetworkSegmentRangeAPITestCase):
policy.enforce,
self.context, 'create_network_segment_range', self.target)
def test_create_network_segment_ranges_tags(self):
def test_create_network_segment_range_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_network_segment_ranges_tags', self.target)
self.context, 'create_network_segment_range:tags', self.target)
def test_get_network_segment_range(self):
self.assertRaises(

58
neutron/tests/unit/conf/policies/test_port.py
View File

@@ -188,13 +188,13 @@ class SystemAdminTests(PortAPITestCase):
self.context, 'create_port:allowed_address_pairs:ip_address',
self.alt_target)
def test_create_ports_tags(self):
def test_create_port_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_ports_tags', self.target)
policy.enforce, self.context, 'create_port:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_ports_tags', self.alt_target)
policy.enforce, self.context, 'create_port:tags', self.alt_target)
def test_get_port(self):
self.assertRaises(
@@ -254,13 +254,13 @@ class SystemAdminTests(PortAPITestCase):
policy.enforce, self.context, 'get_port:resource_request',
self.alt_target)
def test_get_ports_tags(self):
def test_get_port_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_ports_tags', self.target)
policy.enforce, self.context, 'get_port:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_ports_tags', self.alt_target)
policy.enforce, self.context, 'get_port:tags', self.alt_target)
def test_update_port(self):
self.assertRaises(
@@ -570,11 +570,11 @@ class AdminTests(PortAPITestCase):
'create_port:trusted',
self.alt_target))
def test_create_ports_tags(self):
def test_create_port_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_ports_tags', self.target))
policy.enforce(self.context, 'create_port:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'create_ports_tags', self.alt_target))
policy.enforce(self.context, 'create_port:tags', self.alt_target))
def test_get_port(self):
self.assertTrue(
@@ -638,11 +638,11 @@ class AdminTests(PortAPITestCase):
policy.enforce(
self.context, 'get_port:trusted', self.alt_target))
def test_get_ports_tags(self):
def test_get_port_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_ports_tags', self.target))
policy.enforce(self.context, 'get_port:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'get_ports_tags', self.alt_target))
policy.enforce(self.context, 'get_port:tags', self.alt_target))
def test_update_port(self):
self.assertTrue(
@@ -953,12 +953,12 @@ class ProjectManagerTests(AdminTests):
self.context, 'create_port:trusted',
self.alt_target)
def test_create_ports_tags(self):
def test_create_port_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_ports_tags', self.target))
policy.enforce(self.context, 'create_port:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_ports_tags', self.alt_target)
policy.enforce, self.context, 'create_port:tags', self.alt_target)
def test_get_port(self):
self.assertTrue(
@@ -1037,12 +1037,12 @@ class ProjectManagerTests(AdminTests):
policy.enforce, self.context, 'get_port:trusted',
self.alt_target)
def test_get_ports_tags(self):
def test_get_port_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_ports_tags', self.target))
policy.enforce(self.context, 'get_port:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_ports_tags', self.alt_target)
policy.enforce, self.context, 'get_port:tags', self.alt_target)
def test_update_port(self):
self.assertTrue(
@@ -1201,12 +1201,12 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'update_port:trusted', self.alt_target)
def test_update_ports_tags(self):
def test_update_port_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_ports_tags', self.target))
policy.enforce(self.context, 'update_port:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_ports_tags', self.alt_target)
policy.enforce, self.context, 'update_port:tags', self.alt_target)
def test_delete_port(self):
self.assertTrue(
@@ -1447,13 +1447,13 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce, self.context, 'create_port:binding:vnic_type',
self.alt_target)
def test_create_ports_tags(self):
def test_create_port_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_ports_tags', self.target)
policy.enforce, self.context, 'create_port:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_ports_tags', self.alt_target)
policy.enforce, self.context, 'create_port:tags', self.alt_target)
def test_update_port(self):
self.assertRaises(
@@ -1473,13 +1473,13 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce, self.context, 'update_port:binding:vnic_type',
self.alt_target)
def test_update_ports_tags(self):
def test_update_port_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_ports_tags', self.target)
policy.enforce, self.context, 'update_port:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_ports_tags', self.alt_target)
policy.enforce, self.context, 'update_port:tags', self.alt_target)
def test_delete_port(self):
self.assertRaises(
@@ -1567,11 +1567,11 @@ class ServiceRoleTests(PortAPITestCase):
self.context, 'create_port:allowed_address_pairs:ip_address',
self.target)
def test_create_ports_tags(self):
def test_create_port_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_ports_tags',
self.context, 'create_port:tags',
self.target)
def test_get_port(self):

112
neutron/tests/unit/conf/policies/test_qos.py
View File

@@ -44,13 +44,13 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
base_policy.InvalidScope,
policy.enforce, self.context, 'get_policy', self.alt_target)
def test_get_policies_tags(self):
def test_get_policy_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_policies_tags', self.target)
policy.enforce, self.context, 'get_policy:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_policies_tags', self.alt_target)
policy.enforce, self.context, 'get_policy:tags', self.alt_target)
def test_create_policy(self):
self.assertRaises(
@@ -60,13 +60,13 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
base_policy.InvalidScope,
policy.enforce, self.context, 'create_policy', self.alt_target)
def test_create_policies_tags(self):
def test_create_policy_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_policies_tags', self.target)
policy.enforce, self.context, 'create_policy:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_policies_tags',
policy.enforce, self.context, 'create_policy:tags',
self.alt_target)
def test_update_policy(self):
@@ -77,13 +77,13 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
base_policy.InvalidScope,
policy.enforce, self.context, 'update_policy', self.alt_target)
def test_update_policies_tags(self):
def test_update_policy_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_policies_tags', self.target)
policy.enforce, self.context, 'update_policy:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_policies_tags',
policy.enforce, self.context, 'update_policy:tags',
self.alt_target)
def test_delete_policy(self):
@@ -94,13 +94,13 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_policy', self.alt_target)
def test_delete_policies_tags(self):
def test_delete_policy_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_policies_tags', self.target)
policy.enforce, self.context, 'delete_policy:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_policies_tags',
policy.enforce, self.context, 'delete_policy:tags',
self.alt_target)
@@ -130,11 +130,11 @@ class AdminQosPolicyTests(QosPolicyAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'get_policy', self.alt_target))
def test_get_policies_tags(self):
def test_get_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_policies_tags', self.target))
policy.enforce(self.context, 'get_policy:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'get_policies_tags', self.alt_target))
policy.enforce(self.context, 'get_policy:tags', self.alt_target))
def test_create_policy(self):
self.assertTrue(
@@ -142,11 +142,11 @@ class AdminQosPolicyTests(QosPolicyAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'create_policy', self.alt_target))
def test_create_policies_tags(self):
def test_create_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_policies_tags', self.target))
policy.enforce(self.context, 'create_policy:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'create_policies_tags',
policy.enforce(self.context, 'create_policy:tags',
self.alt_target))
def test_update_policy(self):
@@ -155,11 +155,11 @@ class AdminQosPolicyTests(QosPolicyAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'update_policy', self.alt_target))
def test_update_policies_tags(self):
def test_update_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_policies_tags', self.target))
policy.enforce(self.context, 'update_policy:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'update_policies_tags',
policy.enforce(self.context, 'update_policy:tags',
self.alt_target))
def test_delete_policy(self):
@@ -168,11 +168,11 @@ class AdminQosPolicyTests(QosPolicyAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'delete_policy', self.alt_target))
def test_delete_policies_tags(self):
def test_delete_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_policies_tags', self.target))
policy.enforce(self.context, 'delete_policy:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'delete_policies_tags',
policy.enforce(self.context, 'delete_policy:tags',
self.alt_target))
@@ -189,12 +189,12 @@ class ProjectManagerQosPolicyTests(AdminQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_policy', self.alt_target)
def test_get_policies_tags(self):
def test_get_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_policies_tags', self.target))
policy.enforce(self.context, 'get_policy:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_policies_tags',
policy.enforce, self.context, 'get_policy:tags',
self.alt_target)
def test_create_policy(self):
@@ -204,12 +204,12 @@ class ProjectManagerQosPolicyTests(AdminQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_policy', self.alt_target)
def test_create_policies_tags(self):
def test_create_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_policies_tags', self.target))
policy.enforce(self.context, 'create_policy:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_policies_tags',
policy.enforce, self.context, 'create_policy:tags',
self.alt_target)
def test_update_policy(self):
@@ -219,12 +219,12 @@ class ProjectManagerQosPolicyTests(AdminQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_policy', self.alt_target)
def test_update_policies_tags(self):
def test_update_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_policies_tags', self.target))
policy.enforce(self.context, 'update_policy:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_policies_tags',
policy.enforce, self.context, 'update_policy:tags',
self.alt_target)
def test_delete_policy(self):
@@ -234,12 +234,12 @@ class ProjectManagerQosPolicyTests(AdminQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_policy', self.alt_target)
def test_delete_policies_tags(self):
def test_delete_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_policies_tags', self.target))
policy.enforce(self.context, 'delete_policy:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_policies_tags',
policy.enforce, self.context, 'delete_policy:tags',
self.alt_target)
@@ -256,12 +256,12 @@ class ProjectMemberQosPolicyTests(ProjectManagerQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_policy', self.alt_target)
def test_get_policies_tags(self):
def test_get_policy_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_policies_tags', self.target))
policy.enforce(self.context, 'get_policy:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_policies_tags',
policy.enforce, self.context, 'get_policy:tags',
self.alt_target)
def test_create_policy(self):
@@ -272,13 +272,13 @@ class ProjectMemberQosPolicyTests(ProjectManagerQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_policy', self.alt_target)
def test_create_policies_tags(self):
def test_create_policy_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_policies_tags', self.target)
policy.enforce, self.context, 'create_policy:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_policies_tags',
policy.enforce, self.context, 'create_policy:tags',
self.alt_target)
def test_update_policy(self):
@@ -289,13 +289,13 @@ class ProjectMemberQosPolicyTests(ProjectManagerQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_policy', self.alt_target)
def test_update_policies_tags(self):
def test_update_policy_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_policies_tags', self.target)
policy.enforce, self.context, 'update_policy:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_policies_tags',
policy.enforce, self.context, 'update_policy:tags',
self.alt_target)
def test_delete_policy(self):
@@ -306,13 +306,13 @@ class ProjectMemberQosPolicyTests(ProjectManagerQosPolicyTests):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_policy', self.alt_target)
def test_delete_policies_tags(self):
def test_delete_policy_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_policies_tags', self.target)
policy.enforce, self.context, 'delete_policy:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_policies_tags',
policy.enforce, self.context, 'delete_policy:tags',
self.alt_target)
@@ -334,40 +334,40 @@ class ServiceRoleQosPolicyTests(QosPolicyAPITestCase):
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_policy', self.target)
def test_get_policies_tags(self):
def test_get_policy_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_policies_tags', self.target)
policy.enforce, self.context, 'get_policy:tags', self.target)
def test_create_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_policy', self.target)
def test_create_policies_tags(self):
def test_create_policy_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_policies_tags', self.target)
policy.enforce, self.context, 'create_policy:tags', self.target)
def test_update_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_policy', self.target)
def test_update_policies_tags(self):
def test_update_policy_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_policies_tags', self.target)
policy.enforce, self.context, 'update_policy:tags', self.target)
def test_delete_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_policy', self.target)
def test_delete_policies_tags(self):
def test_delete_policy_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_policies_tags', self.target)
policy.enforce, self.context, 'delete_policy:tags', self.target)
class QosRuleTypeAPITestCase(base.PolicyBaseTestCase):

94
neutron/tests/unit/conf/policies/test_router.py
View File

@@ -138,15 +138,15 @@ class SystemAdminTests(RouterAPITestCase):
self.context, 'create_router:enable_default_route_ecmp',
self.alt_target)
def test_create_routers_tags(self):
def test_create_router_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_routers_tags', self.target)
self.context, 'create_router:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_routers_tags', self.alt_target)
self.context, 'create_router:tags', self.alt_target)
def test_get_router(self):
self.assertRaises(
@@ -178,15 +178,15 @@ class SystemAdminTests(RouterAPITestCase):
policy.enforce,
self.context, 'get_router:ha', self.alt_target)
def test_get_routers_tags(self):
def test_get_router_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_routers_tags', self.target)
self.context, 'get_router:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_routers_tags', self.alt_target)
self.context, 'get_router:tags', self.alt_target)
def test_update_router(self):
self.assertRaises(
@@ -292,15 +292,15 @@ class SystemAdminTests(RouterAPITestCase):
self.context, 'update_router:enable_default_route_ecmp',
self.alt_target)
def test_update_routers_tags(self):
def test_update_router_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_routers_tags', self.target)
self.context, 'update_router:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_routers_tags', self.alt_target)
self.context, 'update_router:tags', self.alt_target)
def test_delete_router(self):
self.assertRaises(
@@ -312,15 +312,15 @@ class SystemAdminTests(RouterAPITestCase):
policy.enforce,
self.context, 'delete_router', self.alt_target)
def test_delete_routers_tags(self):
def test_delete_router_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_routers_tags', self.target)
self.context, 'delete_router:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_routers_tags', self.alt_target)
self.context, 'delete_router:tags', self.alt_target)
def test_add_router_interface(self):
self.assertRaises(
@@ -425,11 +425,11 @@ class AdminTests(RouterAPITestCase):
'create_router:external_gateway_info:external_fixed_ips',
self.alt_target))
def test_create_routers_tags(self):
def test_create_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_routers_tags', self.target))
policy.enforce(self.context, 'create_router:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'create_routers_tags',
policy.enforce(self.context, 'create_router:tags',
self.alt_target))
def test_update_router_enable_default_route_bfd(self):
@@ -476,11 +476,11 @@ class AdminTests(RouterAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'get_router:ha', self.alt_target))
def test_get_routers_tags(self):
def test_get_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_routers_tags', self.target))
policy.enforce(self.context, 'get_router:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'get_routers_tags', self.alt_target))
policy.enforce(self.context, 'get_router:tags', self.alt_target))
def test_update_router(self):
self.assertTrue(
@@ -544,11 +544,11 @@ class AdminTests(RouterAPITestCase):
'update_router:external_gateway_info:external_fixed_ips',
self.alt_target))
def test_update_routers_tags(self):
def test_update_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_routers_tags', self.target))
policy.enforce(self.context, 'update_router:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'update_routers_tags',
policy.enforce(self.context, 'update_router:tags',
self.alt_target))
def test_delete_router(self):
@@ -557,11 +557,11 @@ class AdminTests(RouterAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'delete_router', self.alt_target))
def test_delete_routers_tags(self):
def test_delete_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_routers_tags', self.target))
policy.enforce(self.context, 'delete_router:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'delete_routers_tags',
policy.enforce(self.context, 'delete_router:tags',
self.alt_target))
def test_add_router_interface(self):
@@ -663,13 +663,13 @@ class ProjectManagerTests(AdminTests):
'create_router:external_gateway_info:external_fixed_ips',
self.alt_target)
def test_create_routers_tags(self):
def test_create_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_routers_tags', self.target))
policy.enforce(self.context, 'create_router:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_routers_tags', self.alt_target)
self.context, 'create_router:tags', self.alt_target)
def test_update_router_enable_default_route_bfd(self):
self.assertRaises(
@@ -727,13 +727,13 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'get_router:ha', self.alt_target)
def test_get_routers_tags(self):
def test_get_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_routers_tags', self.target))
policy.enforce(self.context, 'get_router:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_routers_tags', self.alt_target)
self.context, 'get_router:tags', self.alt_target)
def test_update_router(self):
self.assertTrue(
@@ -811,13 +811,13 @@ class ProjectManagerTests(AdminTests):
'update_router:external_gateway_info:external_fixed_ips',
self.alt_target)
def test_update_routers_tags(self):
def test_update_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_routers_tags', self.target))
policy.enforce(self.context, 'update_router:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_routers_tags', self.alt_target)
self.context, 'update_router:tags', self.alt_target)
def test_delete_router(self):
self.assertTrue(
@@ -827,13 +827,13 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'delete_router', self.alt_target)
def test_delete_routers_tags(self):
def test_delete_router_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_routers_tags', self.target))
policy.enforce(self.context, 'delete_router:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_routers_tags', self.alt_target)
self.context, 'delete_router:tags', self.alt_target)
def test_add_router_interface(self):
self.assertTrue(
@@ -901,15 +901,15 @@ class ProjectReaderTests(ProjectMemberTests):
self.context, 'create_router:external_gateway_info:network_id',
self.alt_target)
def test_create_routers_tags(self):
def test_create_router_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_routers_tags', self.target)
self.context, 'create_router:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_routers_tags', self.alt_target)
self.context, 'create_router:tags', self.alt_target)
def test_update_router(self):
self.assertRaises(
@@ -945,15 +945,15 @@ class ProjectReaderTests(ProjectMemberTests):
self.context, 'update_router:external_gateway_info:network_id',
self.alt_target)
def test_update_routers_tags(self):
def test_update_router_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_routers_tags', self.target)
self.context, 'update_router:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_routers_tags', self.alt_target)
self.context, 'update_router:tags', self.alt_target)
def test_delete_router(self):
self.assertRaises(
@@ -965,15 +965,15 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'delete_router', self.alt_target)
def test_delete_routers_tags(self):
def test_delete_router_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_routers_tags', self.target)
self.context, 'delete_router:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_routers_tags', self.alt_target)
self.context, 'delete_router:tags', self.alt_target)
def test_add_router_interface(self):
self.assertRaises(
@@ -1178,11 +1178,11 @@ class ServiceRoleTests(RouterAPITestCase):
'create_router:external_gateway_info:external_fixed_ips',
self.target)
def test_create_routers_tags(self):
def test_create_router_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_routers_tags', self.target)
self.context, 'create_router:tags', self.target)
def test_get_router(self):
self.assertRaises(

94
neutron/tests/unit/conf/policies/test_security_group.py
View File

@@ -46,15 +46,15 @@ class SystemAdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce,
self.context, 'create_security_group', self.alt_target)
def test_create_security_groups_tags(self):
def test_create_security_group_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_security_groups_tags', self.target)
self.context, 'create_security_group:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_security_groups_tags', self.alt_target)
self.context, 'create_security_group:tags', self.alt_target)
def test_get_security_group(self):
self.assertRaises(
@@ -66,15 +66,15 @@ class SystemAdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce,
self.context, 'get_security_group', self.alt_target)
def test_get_security_groups_tags(self):
def test_get_security_group_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_security_groups_tags', self.target)
self.context, 'get_security_group:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_security_groups_tags', self.alt_target)
self.context, 'get_security_group:tags', self.alt_target)
def test_update_security_group(self):
self.assertRaises(
@@ -86,15 +86,15 @@ class SystemAdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce,
self.context, 'update_security_group', self.alt_target)
def test_update_security_groups_tags(self):
def test_update_security_group_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_security_groups_tags', self.target)
self.context, 'update_security_group:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_security_groups_tags', self.alt_target)
self.context, 'update_security_group:tags', self.alt_target)
def test_delete_security_group(self):
self.assertRaises(
@@ -106,15 +106,15 @@ class SystemAdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce,
self.context, 'delete_security_group', self.alt_target)
def test_delete_security_groups_tags(self):
def test_delete_security_group_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_security_groups_tags', self.target)
self.context, 'delete_security_group:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_security_groups_tags', self.alt_target)
self.context, 'delete_security_group:tags', self.alt_target)
class SystemMemberSecurityGroupTests(SystemAdminSecurityGroupTests):
@@ -144,12 +144,12 @@ class AdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce(
self.context, 'create_security_group', self.alt_target))
def test_create_security_groups_tags(self):
def test_create_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_security_groups_tags',
policy.enforce(self.context, 'create_security_group:tags',
self.target))
self.assertTrue(
policy.enforce(self.context, 'create_security_groups_tags',
policy.enforce(self.context, 'create_security_group:tags',
self.alt_target))
def test_get_security_group(self):
@@ -159,12 +159,12 @@ class AdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce(
self.context, 'get_security_group', self.alt_target))
def test_get_security_groups_tags(self):
def test_get_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_security_groups_tags',
policy.enforce(self.context, 'get_security_group:tags',
self.target))
self.assertTrue(
policy.enforce(self.context, 'get_security_groups_tags',
policy.enforce(self.context, 'get_security_group:tags',
self.alt_target))
def test_update_security_group(self):
@@ -174,12 +174,12 @@ class AdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce(
self.context, 'update_security_group', self.alt_target))
def test_update_security_groups_tags(self):
def test_update_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_security_groups_tags',
policy.enforce(self.context, 'update_security_group:tags',
self.target))
self.assertTrue(
policy.enforce(self.context, 'update_security_groups_tags',
policy.enforce(self.context, 'update_security_group:tags',
self.alt_target))
def test_delete_security_group(self):
@@ -189,12 +189,12 @@ class AdminSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce(
self.context, 'delete_security_group', self.alt_target))
def test_delete_security_groups_tags(self):
def test_delete_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_security_groups_tags',
policy.enforce(self.context, 'delete_security_group:tags',
self.target))
self.assertTrue(
policy.enforce(self.context, 'delete_security_groups_tags',
policy.enforce(self.context, 'delete_security_group:tags',
self.alt_target))
@@ -212,14 +212,14 @@ class ProjectManagerSecurityGroupTests(AdminSecurityGroupTests):
policy.enforce,
self.context, 'create_security_group', self.alt_target)
def test_create_security_groups_tags(self):
def test_create_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_security_groups_tags',
policy.enforce(self.context, 'create_security_group:tags',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_security_groups_tags', self.alt_target)
self.context, 'create_security_group:tags', self.alt_target)
def test_get_security_group(self):
self.assertTrue(
@@ -229,13 +229,13 @@ class ProjectManagerSecurityGroupTests(AdminSecurityGroupTests):
policy.enforce,
self.context, 'get_security_group', self.alt_target)
def test_get_security_groups_tags(self):
def test_get_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_security_groups_tags',
policy.enforce(self.context, 'get_security_group:tags',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized, policy.enforce,
self.context, 'get_security_groups_tags', self.alt_target)
self.context, 'get_security_group:tags', self.alt_target)
def test_update_security_group(self):
self.assertTrue(
@@ -245,13 +245,13 @@ class ProjectManagerSecurityGroupTests(AdminSecurityGroupTests):
policy.enforce,
self.context, 'update_security_group', self.alt_target)
def test_update_security_groups_tags(self):
def test_update_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_security_groups_tags',
policy.enforce(self.context, 'update_security_group:tags',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_security_groups_tags',
policy.enforce, self.context, 'update_security_group:tags',
self.alt_target)
def test_delete_security_group(self):
@@ -262,13 +262,13 @@ class ProjectManagerSecurityGroupTests(AdminSecurityGroupTests):
policy.enforce,
self.context, 'delete_security_group', self.alt_target)
def test_delete_security_groups_tags(self):
def test_delete_security_group_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_security_groups_tags',
policy.enforce(self.context, 'delete_security_group:tags',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized, policy.enforce,
self.context, 'delete_security_groups_tags', self.alt_target)
self.context, 'delete_security_group:tags', self.alt_target)
class ProjectMemberSecurityGroupTests(ProjectManagerSecurityGroupTests):
@@ -294,15 +294,15 @@ class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests):
policy.enforce,
self.context, 'create_security_group', self.alt_target)
def test_create_security_groups_tags(self):
def test_create_security_group_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_security_groups_tags', self.target)
self.context, 'create_security_group:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_security_groups_tags', self.alt_target)
self.context, 'create_security_group:tags', self.alt_target)
def test_update_security_group(self):
self.assertRaises(
@@ -314,15 +314,15 @@ class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests):
policy.enforce,
self.context, 'update_security_group', self.alt_target)
def test_update_security_groups_tags(self):
def test_update_security_group_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_security_groups_tags', self.target)
self.context, 'update_security_group:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_security_groups_tags', self.alt_target)
self.context, 'update_security_group:tags', self.alt_target)
def test_delete_security_group(self):
self.assertRaises(
@@ -334,15 +334,15 @@ class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests):
policy.enforce,
self.context, 'delete_security_group', self.alt_target)
def test_delete_security_groups_tags(self):
def test_delete_security_group_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_security_groups_tags', self.target)
self.context, 'delete_security_group:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_security_groups_tags', self.alt_target)
self.context, 'delete_security_group:tags', self.alt_target)
class ServiceRoleSecurityGroupTests(SecurityGroupAPITestCase):
@@ -357,11 +357,11 @@ class ServiceRoleSecurityGroupTests(SecurityGroupAPITestCase):
policy.enforce,
self.context, 'create_security_group', self.target)
def test_create_security_groups_tags(self):
def test_create_security_group_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_security_groups_tags', self.target)
self.context, 'create_security_group:tags', self.target)
def test_get_security_group(self):
self.assertRaises(

160
neutron/tests/unit/conf/policies/test_subnet.py
View File

@@ -160,23 +160,23 @@ class SystemAdminTests(SubnetAPITestCase):
self.context, 'create_subnet:service_types',
self.alt_target_own_net)
def test_create_subnets_tags(self):
def test_create_subnet_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnets_tags', self.target)
self.context, 'create_subnet:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnets_tags', self.target_net_alt_target)
self.context, 'create_subnet:tags', self.target_net_alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnets_tags', self.alt_target)
self.context, 'create_subnet:tags', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnets_tags', self.alt_target_own_net)
self.context, 'create_subnet:tags', self.alt_target_own_net)
def test_get_subnet(self):
self.assertRaises(
@@ -218,27 +218,27 @@ class SystemAdminTests(SubnetAPITestCase):
policy.enforce,
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
def test_get_subnets_tags(self):
def test_get_subnet_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnets_tags', self.target)
self.context, 'get_subnet:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnets_tags', self.target_net_alt_target)
self.context, 'get_subnet:tags', self.target_net_alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnets_tags', self.target_net_ext_alt_target)
self.context, 'get_subnet:tags', self.target_net_ext_alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnets_tags', self.alt_target)
self.context, 'get_subnet:tags', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnets_tags', self.alt_target_own_net)
self.context, 'get_subnet:tags', self.alt_target_own_net)
def test_update_subnet(self):
self.assertRaises(
@@ -297,23 +297,23 @@ class SystemAdminTests(SubnetAPITestCase):
self.context, 'update_subnet:service_types',
self.alt_target_own_net)
def test_update_subnets_tags(self):
def test_update_subnet_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnets_tags', self.target)
self.context, 'update_subnet:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnets_tags', self.target_net_alt_target)
self.context, 'update_subnet:tags', self.target_net_alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target)
self.context, 'update_subnet:tags', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target_own_net)
self.context, 'update_subnet:tags', self.alt_target_own_net)
def test_delete_subnet(self):
self.assertRaises(
@@ -333,23 +333,23 @@ class SystemAdminTests(SubnetAPITestCase):
policy.enforce,
self.context, 'delete_subnet', self.alt_target_own_net)
def test_delete_subnets_tags(self):
def test_delete_subnet_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnets_tags', self.target)
self.context, 'delete_subnet:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnets_tags', self.target_net_alt_target)
self.context, 'delete_subnet:tags', self.target_net_alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target)
self.context, 'delete_subnet:tags', self.alt_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target_own_net)
self.context, 'delete_subnet:tags', self.alt_target_own_net)
class SystemMemberTests(SystemAdminTests):
@@ -416,17 +416,17 @@ class AdminTests(SubnetAPITestCase):
self.context, 'create_subnet:service_types',
self.alt_target_own_net))
def test_create_subnets_tags(self):
def test_create_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_subnets_tags', self.target))
policy.enforce(self.context, 'create_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'create_subnets_tags',
policy.enforce(self.context, 'create_subnet:tags',
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'create_subnets_tags',
policy.enforce(self.context, 'create_subnet:tags',
self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'create_subnets_tags',
policy.enforce(self.context, 'create_subnet:tags',
self.alt_target_own_net))
def test_get_subnet(self):
@@ -458,19 +458,19 @@ class AdminTests(SubnetAPITestCase):
self.context, 'get_subnet:segment_id',
self.alt_target_own_net))
def test_get_subnets_tags(self):
def test_get_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags', self.target))
policy.enforce(self.context, 'get_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
policy.enforce(self.context, 'get_subnet:tags',
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
policy.enforce(self.context, 'get_subnet:tags',
self.target_net_ext_alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags', self.alt_target))
policy.enforce(self.context, 'get_subnet:tags', self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
policy.enforce(self.context, 'get_subnet:tags',
self.alt_target_own_net))
def test_update_subnet(self):
@@ -513,17 +513,17 @@ class AdminTests(SubnetAPITestCase):
policy.enforce(
self.context, 'update_subnet:service_types', self.alt_target))
def test_update_subnets_tags(self):
def test_update_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags', self.target))
policy.enforce(self.context, 'update_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
policy.enforce(self.context, 'update_subnet:tags',
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
policy.enforce(self.context, 'update_subnet:tags',
self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
policy.enforce(self.context, 'update_subnet:tags',
self.alt_target_own_net))
def test_delete_subnet(self):
@@ -538,17 +538,17 @@ class AdminTests(SubnetAPITestCase):
policy.enforce(self.context, 'delete_subnet',
self.alt_target_own_net))
def test_delete_subnets_tags(self):
def test_delete_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags', self.target))
policy.enforce(self.context, 'delete_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
policy.enforce(self.context, 'delete_subnet:tags',
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
policy.enforce(self.context, 'delete_subnet:tags',
self.alt_target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
policy.enforce(self.context, 'delete_subnet:tags',
self.alt_target_own_net))
@@ -612,18 +612,18 @@ class ProjectManagerTests(AdminTests):
self.context, 'create_subnet:service_types',
self.alt_target_own_net)
def test_create_subnets_tags(self):
def test_create_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_subnets_tags', self.target))
policy.enforce(self.context, 'create_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'create_subnets_tags',
policy.enforce(self.context, 'create_subnet:tags',
self.target_net_alt_target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnets_tags', self.alt_target)
self.context, 'create_subnet:tags', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'create_subnets_tags',
policy.enforce(self.context, 'create_subnet:tags',
self.alt_target_own_net))
def test_get_subnet(self):
@@ -661,21 +661,21 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
def test_get_subnets_tags(self):
def test_get_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags', self.target))
policy.enforce(self.context, 'get_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
policy.enforce(self.context, 'get_subnet:tags',
self.target_net_alt_target))
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
policy.enforce(self.context, 'get_subnet:tags',
self.target_net_ext_alt_target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_subnets_tags', self.alt_target)
self.context, 'get_subnet:tags', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'get_subnets_tags',
policy.enforce(self.context, 'get_subnet:tags',
self.alt_target_own_net))
def test_update_subnet(self):
@@ -731,18 +731,18 @@ class ProjectManagerTests(AdminTests):
self.context, 'update_subnet:service_types',
self.alt_target_own_net)
def test_update_subnets_tags(self):
def test_update_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags', self.target))
policy.enforce(self.context, 'update_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
policy.enforce(self.context, 'update_subnet:tags',
self.target_net_alt_target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target)
self.context, 'update_subnet:tags', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'update_subnets_tags',
policy.enforce(self.context, 'update_subnet:tags',
self.alt_target_own_net))
def test_delete_subnet(self):
@@ -759,18 +759,18 @@ class ProjectManagerTests(AdminTests):
policy.enforce(self.context, 'delete_subnet',
self.alt_target_own_net))
def test_delete_subnets_tags(self):
def test_delete_subnet_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags', self.target))
policy.enforce(self.context, 'delete_subnet:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
policy.enforce(self.context, 'delete_subnet:tags',
self.target_net_alt_target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target)
self.context, 'delete_subnet:tags', self.alt_target)
self.assertTrue(
policy.enforce(self.context, 'delete_subnets_tags',
policy.enforce(self.context, 'delete_subnet:tags',
self.alt_target_own_net))
@@ -805,23 +805,23 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'create_subnet', self.alt_target_own_net)
def test_create_subnets_tags(self):
def test_create_subnet_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnets_tags', self.target)
self.context, 'create_subnet:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnets_tags', self.target_net_alt_target)
self.context, 'create_subnet:tags', self.target_net_alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnets_tags', self.alt_target)
self.context, 'create_subnet:tags', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnets_tags', self.alt_target_own_net)
self.context, 'create_subnet:tags', self.alt_target_own_net)
def test_update_subnet(self):
self.assertRaises(
@@ -841,23 +841,23 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'update_subnet', self.alt_target_own_net)
def test_update_subnets_tags(self):
def test_update_subnet_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.target)
self.context, 'update_subnet:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.target_net_alt_target)
self.context, 'update_subnet:tags', self.target_net_alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target)
self.context, 'update_subnet:tags', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnets_tags', self.alt_target_own_net)
self.context, 'update_subnet:tags', self.alt_target_own_net)
def test_delete_subnet(self):
self.assertRaises(
@@ -877,23 +877,23 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'delete_subnet', self.alt_target_own_net)
def test_delete_subnets_tags(self):
def test_delete_subnet_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.target)
self.context, 'delete_subnet:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.target_net_alt_target)
self.context, 'delete_subnet:tags', self.target_net_alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target)
self.context, 'delete_subnet:tags', self.alt_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnets_tags', self.alt_target_own_net)
self.context, 'delete_subnet:tags', self.alt_target_own_net)
class ServiceRoleTests(SubnetAPITestCase):
@@ -920,11 +920,11 @@ class ServiceRoleTests(SubnetAPITestCase):
policy.enforce,
self.context, 'create_subnet:service_types', self.target)
def test_create_subnets_tags(self):
def test_create_subnet_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnets_tags', self.target)
self.context, 'create_subnet:tags', self.target)
def test_get_subnet(self):
self.assertRaises(

106
neutron/tests/unit/conf/policies/test_subnetpool.py
View File

@@ -63,15 +63,15 @@ class SystemAdminTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'create_subnetpool:is_default', self.alt_target)
def test_create_subnetpools_tags(self):
def test_create_subnetpool_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnetpools_tags', self.target)
self.context, 'create_subnetpool:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_subnetpools_tags', self.alt_target)
self.context, 'create_subnetpool:tags', self.alt_target)
def test_get_subnetpool(self):
self.assertRaises(
@@ -83,15 +83,15 @@ class SystemAdminTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'get_subnetpool', self.alt_target)
def test_get_subnetpools_tags(self):
def test_get_subnetpool_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnetpools_tags', self.target)
self.context, 'get_subnetpool:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_subnetpools_tags', self.alt_target)
self.context, 'get_subnetpool:tags', self.alt_target)
def test_update_subnetpool(self):
self.assertRaises(
@@ -113,15 +113,15 @@ class SystemAdminTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'update_subnetpool:is_default', self.alt_target)
def test_update_subnetpools_tags(self):
def test_update_subnetpool_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnetpools_tags', self.target)
self.context, 'update_subnetpool:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_subnetpools_tags', self.alt_target)
self.context, 'update_subnetpool:tags', self.alt_target)
def test_delete_subnetpool(self):
self.assertRaises(
@@ -133,15 +133,15 @@ class SystemAdminTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'delete_subnetpool', self.alt_target)
def test_delete_subnetpools_tags(self):
def test_delete_subnetpool_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnetpools_tags', self.target)
self.context, 'delete_subnetpool:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_subnetpools_tags', self.alt_target)
self.context, 'delete_subnetpool:tags', self.alt_target)
def test_onboard_network_subnets(self):
self.assertRaises(
@@ -216,11 +216,11 @@ class AdminTests(SubnetpoolAPITestCase):
policy.enforce(
self.context, 'create_subnetpool:default', self.alt_target))
def test_create_subnetpools_tags(self):
def test_create_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_subnetpools_tags',
policy.enforce(self.context, 'create_subnetpool:tags',
self.target))
self.assertTrue(policy.enforce(self.context, 'create_subnetpools_tags',
self.assertTrue(policy.enforce(self.context, 'create_subnetpool:tags',
self.alt_target))
def test_get_subnetpool(self):
@@ -229,11 +229,11 @@ class AdminTests(SubnetpoolAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'get_subnetpool', self.alt_target))
def test_get_subnetpools_tags(self):
def test_get_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_subnetpools_tags', self.target))
policy.enforce(self.context, 'get_subnetpool:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'get_subnetpools_tags',
policy.enforce(self.context, 'get_subnetpool:tags',
self.alt_target))
def test_update_subnetpool(self):
@@ -250,12 +250,12 @@ class AdminTests(SubnetpoolAPITestCase):
policy.enforce(
self.context, 'update_subnetpool:default', self.alt_target))
def test_update_subnetpools_tags(self):
def test_update_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_subnetpools_tags',
policy.enforce(self.context, 'update_subnetpool:tags',
self.target))
self.assertTrue(
policy.enforce(self.context, 'update_subnetpools_tags',
policy.enforce(self.context, 'update_subnetpool:tags',
self.alt_target))
def test_delete_subnetpool(self):
@@ -264,12 +264,12 @@ class AdminTests(SubnetpoolAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'delete_subnetpool', self.alt_target))
def test_delete_subnetpools_tags(self):
def test_delete_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_subnetpools_tags',
policy.enforce(self.context, 'delete_subnetpool:tags',
self.target))
self.assertTrue(
policy.enforce(self.context, 'delete_subnetpools_tags',
policy.enforce(self.context, 'delete_subnetpool:tags',
self.alt_target))
def test_onboard_network_subnets(self):
@@ -327,14 +327,14 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'create_subnetpool:is_default', self.alt_target)
def test_create_subnetpools_tags(self):
def test_create_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_subnetpools_tags',
policy.enforce(self.context, 'create_subnetpool:tags',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnetpools_tags', self.alt_target)
self.context, 'create_subnetpool:tags', self.alt_target)
def test_get_subnetpool(self):
self.assertTrue(
@@ -344,13 +344,13 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'get_subnetpool', self.alt_target)
def test_get_subnetpools_tags(self):
def test_get_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'get_subnetpools_tags', self.target))
policy.enforce(self.context, 'get_subnetpool:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_subnetpools_tags', self.alt_target)
self.context, 'get_subnetpool:tags', self.alt_target)
def test_update_subnetpool(self):
self.assertTrue(
@@ -370,14 +370,14 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'update_subnetpool:is_default', self.alt_target)
def test_update_subnetpools_tags(self):
def test_update_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'update_subnetpools_tags',
policy.enforce(self.context, 'update_subnetpool:tags',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnetpools_tags', self.alt_target)
self.context, 'update_subnetpool:tags', self.alt_target)
def test_delete_subnetpool(self):
self.assertTrue(
@@ -387,14 +387,14 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'delete_subnetpool', self.alt_target)
def test_delete_subnetpools_tags(self):
def test_delete_subnetpool_tags(self):
self.assertTrue(
policy.enforce(self.context, 'delete_subnetpools_tags',
policy.enforce(self.context, 'delete_subnetpool:tags',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnetpools_tags', self.alt_target)
self.context, 'delete_subnetpool:tags', self.alt_target)
def test_onboard_network_subnets(self):
self.assertTrue(
@@ -445,15 +445,15 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'create_subnetpool', self.alt_target)
def test_create_subnetpools_tags(self):
def test_create_subnetpool_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnetpools_tags', self.target)
self.context, 'create_subnetpool:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnetpools_tags', self.alt_target)
self.context, 'create_subnetpool:tags', self.alt_target)
def test_update_subnetpool(self):
self.assertRaises(
@@ -465,15 +465,15 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'update_subnetpool', self.alt_target)
def test_update_subnetpools_tags(self):
def test_update_subnetpool_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnetpools_tags', self.target)
self.context, 'update_subnetpool:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnetpools_tags', self.alt_target)
self.context, 'update_subnetpool:tags', self.alt_target)
def test_delete_subnetpool(self):
self.assertRaises(
@@ -485,15 +485,15 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'delete_subnetpool', self.alt_target)
def test_delete_subnetpools_tags(self):
def test_delete_subnetpool_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnetpools_tags', self.target)
self.context, 'delete_subnetpool:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnetpools_tags', self.alt_target)
self.context, 'delete_subnetpool:tags', self.alt_target)
def test_onboard_network_subnets(self):
self.assertRaises(
@@ -538,11 +538,11 @@ class ServiceRoleTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'create_subnetpool', self.target)
def test_create_subnetpools_tags(self):
def test_create_subnetpool_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_subnetpools_tags', self.target)
self.context, 'create_subnetpool:tags', self.target)
def test_create_subnetpool_shared(self):
self.assertRaises(
@@ -562,11 +562,11 @@ class ServiceRoleTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'get_subnetpool', self.target)
def test_get_subnetpools_tags(self):
def test_get_subnetpool_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'get_subnetpools_tags', self.target)
self.context, 'get_subnetpool:tags', self.target)
def test_update_subnetpool(self):
self.assertRaises(
@@ -580,11 +580,11 @@ class ServiceRoleTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'update_subnetpool:is_default', self.target)
def test_update_subnetpools_tags(self):
def test_update_subnetpool_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_subnetpools_tags', self.target)
self.context, 'update_subnetpool:tags', self.target)
def test_delete_subnetpool(self):
self.assertRaises(
@@ -592,11 +592,11 @@ class ServiceRoleTests(SubnetpoolAPITestCase):
policy.enforce,
self.context, 'delete_subnetpool', self.target)
def test_delete_subnetpools_tags(self):
def test_delete_subnetpool_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'delete_subnetpools_tags', self.target)
self.context, 'delete_subnetpool:tags', self.target)
def test_onboard_network_subnets(self):
self.assertRaises(

46
neutron/tests/unit/conf/policies/test_trunk.py
View File

@@ -43,15 +43,15 @@ class SystemAdminTests(TrunkAPITestCase):
policy.enforce,
self.context, 'create_trunk', self.alt_target)
def test_create_trunks_tags(self):
def test_create_trunk_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_trunks_tags', self.target)
self.context, 'create_trunk:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_trunks_tags', self.alt_target)
self.context, 'create_trunk:tags', self.alt_target)
def test_get_trunk(self):
self.assertRaises(
@@ -63,15 +63,15 @@ class SystemAdminTests(TrunkAPITestCase):
policy.enforce,
self.context, 'get_trunk', self.alt_target)
def test_get_trunks_tags(self):
def test_get_trunk_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_trunks_tags', self.target)
self.context, 'get_trunk:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'get_trunks_tags', self.alt_target)
self.context, 'get_trunk:tags', self.alt_target)
def test_update_trunk(self):
self.assertRaises(
@@ -83,15 +83,15 @@ class SystemAdminTests(TrunkAPITestCase):
policy.enforce,
self.context, 'update_trunk', self.alt_target)
def test_update_trunks_tags(self):
def test_update_trunk_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_trunks_tags', self.target)
self.context, 'update_trunk:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_trunks_tags', self.alt_target)
self.context, 'update_trunk:tags', self.alt_target)
def test_delete_trunk(self):
self.assertRaises(
@@ -103,15 +103,15 @@ class SystemAdminTests(TrunkAPITestCase):
policy.enforce,
self.context, 'delete_trunk', self.alt_target)
def test_delete_trunks_tags(self):
def test_delete_trunk_tags(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_trunks_tags', self.target)
self.context, 'delete_trunk:tags', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'delete_trunks_tags', self.alt_target)
self.context, 'delete_trunk:tags', self.alt_target)
def test_get_subports(self):
self.assertRaises(
@@ -170,11 +170,11 @@ class AdminTests(TrunkAPITestCase):
self.assertTrue(
policy.enforce(self.context, 'create_trunk', self.alt_target))
def test_create_trunks_tags(self):
def test_create_trunk_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_trunks_tags', self.target))
policy.enforce(self.context, 'create_trunk:tags', self.target))
self.assertTrue(
policy.enforce(self.context, 'create_trunks_tags',
policy.enforce(self.context, 'create_trunk:tags',
self.alt_target))
def test_get_trunk(self):
@@ -228,13 +228,13 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'create_trunk', self.alt_target)
def test_create_trunks_tags(self):
def test_create_trunk_tags(self):
self.assertTrue(
policy.enforce(self.context, 'create_trunks_tags', self.target))
policy.enforce(self.context, 'create_trunk:tags', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_trunks_tags', self.alt_target)
self.context, 'create_trunk:tags', self.alt_target)
def test_get_trunk(self):
self.assertTrue(
@@ -308,15 +308,15 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'create_trunk', self.alt_target)
def test_create_trunks_tags(self):
def test_create_trunk_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_trunks_tags', self.target)
self.context, 'create_trunk:tags', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_trunks_tags', self.alt_target)
self.context, 'create_trunk:tags', self.alt_target)
def test_update_trunk(self):
self.assertRaises(
@@ -371,11 +371,11 @@ class ServiceRoleTests(TrunkAPITestCase):
policy.enforce,
self.context, 'create_trunk', self.target)
def test_create_trunks_tags(self):
def test_create_trunk_tags(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_trunks_tags', self.target)
self.context, 'create_trunk:tags', self.target)
def test_get_trunk(self):
self.assertRaises(

152
neutron/tests/unit/extensions/test_tagging.py
View File

@@ -14,7 +14,10 @@
# under the License.
#
from unittest import mock
import netaddr
from neutron_lib.api import attributes
from neutron_lib import constants as n_const
from neutron_lib import context
from neutron_lib.utils import net as net_utils
@@ -42,19 +45,51 @@ class TaggingControllerDbTestCase(testlib_api.WebTestCase):
tenant_id=self.project_id,
is_admin=False)
self.tc = tagging.TaggingController()
mock.patch.dict(
attributes.RESOURCES,
{
'floatingips': {
'id': {'primary_key': True},
'router_id': {'required_by_policy': True},
'tenant_id': {'required_by_policy': True}
},
'network_segment_ranges': {
'id': {'primary_key': True},
'project_id': {'required_by_policy': True}
},
'policies':
{
'id': {'primary_key': True},
'tenant_id': {'required_by_policy': True}
},
'routers':
{
'id': {'primary_key': True},
'tenant_id': {'required_by_policy': True}
},
'security_groups':
{
'id': {'primary_key': True},
'tenant_id': {'required_by_policy': True}
},
'trunks':
{
'id': {'primary_key': True},
'port_id': {'required_by_policy': True},
'tenant_id': {'required_by_policy': True}
}
}
).start()
def test_all_parents_have_a_reference(self):
def test_all_ovo_cls_have_a_reference(self):
tc_supported_resources = set(self.tc.supported_resources.keys())
parent_resources = set(tagging.PARENTS.keys())
self.assertEqual(tc_supported_resources, parent_resources)
ovo_resources = set(tagging.OVO_CLS.keys())
self.assertEqual(tc_supported_resources, ovo_resources)
def _check_resource_info(self, parent_id, parent_type,
upper_parent_id=None, upper_parent_type=None):
p_id = self.tc.supported_resources[parent_type] + '_id'
res = self.tc._get_resource_info(self.ctx, {p_id: parent_id})
reference = tagging.ResourceInfo(
self.project_id, parent_type, parent_id,
upper_parent_type, upper_parent_id)
def _check_resource_info(self, obj, obj_type):
id_key = self.tc.supported_resources[obj_type] + '_id'
res = self.tc._get_resource_info(self.ctx, {id_key: obj['id']})
reference = tagging.ResourceInfo(self.project_id, obj_type, obj)
self.assertEqual(reference, res)
def test__get_resource_info_floatingips(self):
@@ -78,26 +113,51 @@ class TaggingControllerDbTestCase(testlib_api.WebTestCase):
self.ctx, id=fip_id, project_id=self.project_id,
floating_network_id=ext_net_id, floating_port_id=fip_port_id,
floating_ip_address=ip_address).create()
self._check_resource_info(fip_id, 'floatingips')
expected_fip = {
'attributes_to_update': ['tags'],
'id': fip_id,
'tenant_id': self.project_id,
'project_id': self.project_id
}
self._check_resource_info(expected_fip, 'floatingips')
def test__get_resource_info_network_segment_ranges(self):
srange_id = uuidutils.generate_uuid()
network_segment_range_obj.NetworkSegmentRange(
self.ctx, id=srange_id, project_id=self.project_id,
shared=False, network_type=n_const.TYPE_GENEVE).create()
self._check_resource_info(srange_id, 'network_segment_ranges')
shared=False, network_type=n_const.TYPE_GENEVE,
minimum=1, maximum=100).create()
expected_segment = {
'attributes_to_update': ['tags'],
'id': srange_id,
'project_id': self.project_id
}
self._check_resource_info(expected_segment, 'network_segment_ranges')
def test__get_resource_info_networks(self):
net_id = uuidutils.generate_uuid()
network_obj.Network(
self.ctx, id=net_id, project_id=self.project_id).create()
self._check_resource_info(net_id, 'networks')
expected_net = {
'attributes_to_update': ['tags'],
'id': net_id,
'tenant_id': self.project_id,
'project_id': self.project_id,
'shared': False,
}
self._check_resource_info(expected_net, 'networks')
def test__get_resource_info_policies(self):
qos_id = uuidutils.generate_uuid()
policy_obj.QosPolicy(
self.ctx, id=qos_id, project_id=self.project_id).create()
self._check_resource_info(qos_id, 'policies')
expected_qos = {
'attributes_to_update': ['tags'],
'id': qos_id,
'tenant_id': self.project_id,
'project_id': self.project_id
}
self._check_resource_info(expected_qos, 'policies')
def test__get_resource_info_ports(self):
net_id = uuidutils.generate_uuid()
@@ -111,20 +171,40 @@ class TaggingControllerDbTestCase(testlib_api.WebTestCase):
self.ctx, id=port_id, project_id=self.project_id,
mac_address=mac, network_id=net_id, admin_state_up=True,
status='UP', device_id='', device_owner='').create()
self._check_resource_info(port_id, 'ports')
expected_port = {
'attributes_to_update': ['tags'],
'id': port_id,
'tenant_id': self.project_id,
'project_id': self.project_id,
'network_id': net_id,
'status': 'UP',
}
self._check_resource_info(expected_port, 'ports')
def test__get_resource_info_routers(self):
router_id = uuidutils.generate_uuid()
router_obj.Router(
self.ctx, id=router_id, project_id=self.project_id).create()
self._check_resource_info(router_id, 'routers')
expected_router = {
'attributes_to_update': ['tags'],
'id': router_id,
'tenant_id': self.project_id,
'project_id': self.project_id
}
self._check_resource_info(expected_router, 'routers')
def test__get_resource_info_security_groups(self):
sg_id = uuidutils.generate_uuid()
securitygroup_obj.SecurityGroup(
self.ctx, id=sg_id, project_id=self.project_id,
is_default=True).create()
self._check_resource_info(sg_id, 'security_groups')
expected_sg = {
'attributes_to_update': ['tags'],
'id': sg_id,
'tenant_id': self.project_id,
'project_id': self.project_id
}
self._check_resource_info(expected_sg, 'security_groups')
def test__get_resource_info_subnets(self):
net_id = uuidutils.generate_uuid()
@@ -136,9 +216,16 @@ class TaggingControllerDbTestCase(testlib_api.WebTestCase):
self.ctx, id=subnet_id, project_id=self.project_id,
ip_version=n_const.IP_VERSION_4, cidr=cidr,
network_id=net_id).create()
self._check_resource_info(subnet_id, 'subnets',
upper_parent_id=net_id,
upper_parent_type='networks')
expected_subnet = {
'attributes_to_update': ['tags'],
'id': subnet_id,
'ip_version': n_const.IP_VERSION_4,
'shared': False,
'network_id': net_id,
'tenant_id': self.project_id,
'project_id': self.project_id
}
self._check_resource_info(expected_subnet, 'subnets')
def test__get_resource_info_subnetpools(self):
sp_id = uuidutils.generate_uuid()
@@ -146,7 +233,17 @@ class TaggingControllerDbTestCase(testlib_api.WebTestCase):
self.ctx, id=sp_id, project_id=self.project_id,
ip_version=n_const.IP_VERSION_4, default_prefixlen=26,
min_prefixlen=28, max_prefixlen=26).create()
self._check_resource_info(sp_id, 'subnetpools')
expected_sp = {
'attributes_to_update': ['tags'],
'id': sp_id,
'tenant_id': self.project_id,
'project_id': self.project_id,
'ip_version': n_const.IP_VERSION_4,
'shared': False,
'is_default': False,
'prefixes': [],
}
self._check_resource_info(expected_sp, 'subnetpools')
def test__get_resource_info_trunks(self):
trunk_id = uuidutils.generate_uuid()
@@ -164,9 +261,16 @@ class TaggingControllerDbTestCase(testlib_api.WebTestCase):
trunk_obj.Trunk(
self.ctx, id=trunk_id, project_id=self.project_id,
port_id=port_id).create()
self._check_resource_info(trunk_id, 'trunks')
expected_trunk = {
'attributes_to_update': ['tags'],
'id': trunk_id,
'tenant_id': self.project_id,
'project_id': self.project_id,
'port_id': port_id
}
self._check_resource_info(expected_trunk, 'trunks')
def test__get_resource_info_parent_not_present(self):
def test__get_resource_info_object_not_present(self):
missing_id = uuidutils.generate_uuid()
p_id = self.tc.supported_resources['trunks'] + '_id'
res = self.tc._get_resource_info(self.ctx, {p_id: missing_id})

15
releasenotes/notes/rename-tags-related-api-policies-7173629378ee9d02.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
upgrade:
- |
Names of the actions related to the ``tags`` attribute for various resources
in the API policy rules have changed. Old names like
"<action>_<resource_plural_name>_tags", for example, "update_networks_tags"
are changed to the new pattern "<action>_<resource_singular>:tags",
for example, "update_network:tags"
deprecations:
- |
Old names of the API policy actions related to the ``tags`` attribute for
various resources with pattern like "<action>_<resource_plural_name>_tags"
are now deprecated. If there are custom rules defined for those actions in
the Neutron policy file, please update them to the new pattern which is
"<action>_<resource_singular>:tags".